
Finding bugs lurking in the DOM

By Jake Edge
January 30, 2008

The Document Object Model (DOM) for HTML is quite useful for handling a variety of dynamic effects for web pages, but it is complex. It interacts with Javascript and CSS (or they with it) in ways that are sometimes surprising—the DOM has often been the source of browser bugs. A new project, from well-known DOM bug finder Michal Zalewski, seeks to systematically exercise the DOM in browsers to eliminate as many holes as it can.

The project, with the unassuming name of DOM access checker (or dom-checker), was just announced on the full-disclosure mailing list (along with Bugtraq and others). Zalewski and colleague Filipe Almeida, both of Google, describe their tool as follows:

DOM access checker is a tool designed to automatically validate numerous aspects of domain security policy enforcement (cross-domain DOM access, Javascript cookies, XMLHttpRequest calls, event and transition handling) to detect common security attack or information disclosure vectors.

[DOM Checker]

The checker consists of three HTML files and a Javascript configuration file that can be loaded from the internet via HTTP (a live version is available from the project website) or from the local disk, using the file:// protocol. Ideally, they should be loaded from both places and give the same results. The screenshot for a sample run using Firefox 3 (Fedora/3.0b3pre-0.beta2.12.nightly20080121.fc9 for the curious) is at left.

After pressing the "Click here to begin tests" button, the Javascript test harness runs 15 major tests, each with many separate subtests. Each subtest reports success or failure to the screen as it runs. Firefox 3 failed 15 of the 1500 or so checks in the standard set of tests.

According to the announcement, "DOM Checker had been used to find a number of major security bypass and information disclosure problems in several popular browsers." Zalewski and Almeida worked with the browser teams to resolve the most serious issues. But, common browsers will still fail up to 30 of the less important tests—for privacy, rather than security, holes.

The hope is that the browser vendors pick up these tests to use as part of their quality assurance process. They could also be used for regression testing to find problems that have crept in while fixing other bugs or adding new features. The checker is a framework that could easily be extended with additional tests covering other areas of DOM functionality. With the advent of AJAX, DOM manipulations via Javascript are being used more and more by web sites, so tools to discover these kinds of bugs are welcome.
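As an illustration of the kind of subtest such a harness can run and reuse as a regression check, the sketch below probes whether reads on a window from another origin are denied or allowed as expected. It is an example added here, not dom-checker's code; the property lists, the function names and the `fakeWindow` stand-in are assumptions made for the example.

```javascript
// Added illustration, not dom-checker's source. Both lists are sample
// choices for this example, not the project's actual test set.
const MUST_DENY = ["document", "history", "name", "localStorage"];
const MAY_READ = ["closed", "length", "top", "parent"];

// One subtest: an enforcing browser throws when a forbidden property is read.
function probe(target, prop) {
  try {
    void target[prop];
    return "readable";
  } catch (e) {
    return "denied";
  }
}

// Run every subtest against one target window and record the outcome.
function runChecks(target) {
  const results = [];
  for (const prop of MUST_DENY) {
    results.push({ prop, expected: "denied", actual: probe(target, prop) });
  }
  for (const prop of MAY_READ) {
    results.push({ prop, expected: "readable", actual: probe(target, prop) });
  }
  return results;
}

// Names of the subtests whose outcome differs from the expected policy.
function failures(results) {
  return results.filter((r) => r.actual !== r.expected).map((r) => r.prop);
}

// Constructed stand-in for a cross-origin window so the harness runs
// outside a browser: any read not listed in `readable` throws.
function fakeWindow(readable) {
  return new Proxy({}, {
    get(_target, prop) {
      if (readable.includes(prop)) return null;
      throw new Error("SecurityError: blocked read of " + String(prop));
    },
  });
}

const enforcing = fakeWindow(MAY_READ);
const leaky = fakeWindow([...MAY_READ, "document"]); // simulated enforcement bug

console.log("enforcing:", failures(runChecks(enforcing)));
console.log("leaky:", failures(runChecks(leaky)));
```

In a browser, the target passed to `runChecks` would be the `contentWindow` of a frame loaded from a different origin rather than the constructed stand-in.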



Finding bugs lurking in the DOM

Posted Jan 31, 2008 16:55 UTC (Thu) by adamgundy (subscriber, #5418) [Link]

it obviously finds bugs.. my firefox (2.0.0.11/Win) deadlocked while running the tests.

Finding bugs lurking in the DOM

Posted Feb 1, 2008 15:34 UTC (Fri) by ernest (subscriber, #2355) [Link]

I just checked a few of my web browsers and was shocked by the large 
number of check failures in Apple's Safari with my nearly new 
Leopard: 419!

Konqueror reports the way more reasonable value of 36.

Note that I am quite unable to judge the graveness of these check 
failures.

Ernest.

Finding bugs lurking in the DOM

Posted Feb 2, 2008 18:57 UTC (Sat) by foom (subscriber, #14868) [Link]

I only had 16 failures, with Leopard's Safari Version 3.0.4 (5523.10).


Finding bugs lurking in the DOM

Posted Feb 2, 2008 22:40 UTC (Sat) by ernest (subscriber, #2355) [Link]

I have 3.0.4 (5523.10.6)

Don't know what's happening. Maybe I should report a bug (Maybe they only see 16 too).

Ernest.

Description of vulnerabilities?

Posted Feb 5, 2008 17:28 UTC (Tue) by NAR (subscriber, #1313) [Link]

Is there a description of the found vulnerabilities? It found 22 in Opera, but the names of the vulnerabilities seemed to indicate no serious problem.

Bye, NAR

Copyright © 2008, Eklektix, Inc.